UNCLASSIFIED

MEMORANDUM REPORT NUMBER IT-A-02-03
Challenges to Successful OpenNet Plus Implementation

March 2002

The OpenNet Plus program is intended to provide every employee of the Department of State (the Department) with desktop access to the Internet’s World Wide Web. The Internet has become an indispensable source of information and a universal method for rapid communications among organizations engaged in government and business transactions worldwide. Department employees have also become increasingly dependent on the Internet to help them carry out their foreign affairs activities in a reliable, fast, and cost-effective manner.

In accordance with our goal of helping to ensure more effectiveness, efficiency, and security in the Department’s information technology (IT) operations and infrastructure, OIG conducted a review of the OpenNet Plus program. This report focuses on the Department’s approach to implementing OpenNet Plus domestically and at overseas embassies and consulates. Specific objectives of our review were to (1) determine whether the Department is adequately planning and managing deployment of OpenNet Plus, (2) determine whether the Department has taken adequate steps to ensure security of the OpenNet Plus infrastructure, and (3) identify plans and procedures for monitoring and ensuring proper use of the Internet in accordance with established policy guidelines. The purpose, scope, and methodology for our review are discussed in Appendix A.

RESULTS IN BRIEF

Desktop access to the Internet will be invaluable in supporting Department employees with the information and communications needed to carry out their foreign affairs responsibilities on a day-to-day basis. The Department is taking a structured approach to implementing OpenNet Plus, its program for providing this long-awaited capability. The approach includes a deliberate process for ensuring that bureaus and overseas missions meet established technical, physical, security, and management requirements for Internet access before they are granted connectivity through OpenNet Plus.

OIG Report No. IT-A-02-03, Challenges to Successful OpenNet Plus Implementation – March 2002

However, the Department has not instituted all of the policies needed to support OpenNet Plus implementation—particularly with regard to eliminating redundant Internet connections once OpenNet Plus is deployed and monitoring employee use of the Internet. By instituting the necessary policies, the Department will be able to avoid duplicative costs arising from maintaining separate Internet networks. Establishment of a specific Internet monitoring policy and approach will also minimize the potential for inappropriate use of the Internet in the workplace, and the corresponding wasted time and taxpayer dollars.

BACKGROUND

The OpenNet Plus project is intended to address the Secretary’s commitment to providing, as soon as possible, all Department employees with desktop access to the Internet’s World Wide Web to help carry out the foreign affairs mission. Access to the Internet is being accomplished via the Department’s existing global Open Network (OpenNet) infrastructure.
OpenNet serves as the foundation for sensitive but unclassified information processing and communications among headquarters organizations and over 260 locations worldwide and is used by most employees for typical day-to-day operations and for e-mail. This network is mirrored on the classified side of the Department by a second network that supports secure office automation, e-mail, and limited web-based communications up to the secret level.

The OpenNet Plus program was preceded by a history of repeated efforts to provide Internet access at the desktop. During the early 1990s, given the proliferation of personal computers and the increasing number of people turning to the Internet for communications and research, the requirement for greater Internet access in the Department became apparent. Questions were raised concerning how to provide Internet access at the desktop for Department users in a secure manner. Consequently, during the summer of 1996, the Bureau of Diplomatic Security (DS) performed a risk assessment to determine whether the OpenNet infrastructure was secure enough to support Internet service. DS completed its assessment, identifying a number of vulnerabilities related to OpenNet access control, configuration management, and security oversight. At that point, the Department decided not to move forward with plans for providing Internet access at the desktop, but to retain Internet e-mail service only within the existing OpenNet infrastructure.

Given the vulnerabilities that DS identified with OpenNet, in 1996-97 the Bureau of Information Resource Management (IRM) conducted a pilot test to determine the feasibility of implementing another infrastructure for providing much-needed Internet service. As a result of the pilot, IRM instituted a third network, the Rich Internet Access Network, which provided Internet access on a fee-for-service basis for domestic organizations that requested it. Rich Internet Access costs approximately $5,400 per person to cover requirements for additional desktop computers, as well as network support and administrative overhead. At the same time that Rich Internet Access was deployed, bureaus, offices, embassies, and consulates were implementing their own independent Internet access solutions. These included dedicated Internet local area networks and stand-alone Internet terminals.

With the integration of the United States Information Agency into the Department on October 1, 1999, a fourth network was introduced, which also provided Internet access. This network, the Public Diplomacy Network, is used for unclassified information processing and communications by employees within the Office of the Under Secretary for Public Diplomacy and Public Affairs. With this addition, senior managers became concerned about the enormous cost of maintaining an IT infrastructure that includes four separate networks. In 1999, the Department established a team to research and consider alternative strategies for eliminating some of the redundancies and providing cost-effective Internet solutions. The following year, the Under Secretary for Management approved a 90-day pilot program for the OpenNet Plus project, which permitted IRM employees to access the Internet at their desktops.

Although initially limited in its Internet access capabilities, OpenNet Plus is intended to provide a range of services previously unavailable to all Department employees.
For example, the program will provide desktop access to thousands of public and private web sites, such as firstgov.gov and washingtonpost.com. OpenNet Plus will also support electronic transactions, such as purchasing computer equipment from online suppliers or buying books via amazon.com. Further, OpenNet Plus will enable collaboration among foreign affairs agencies as part of the Department’s Foreign Affairs Systems Integration initiative, as well as provide a strong foundation for modern “e-government” operations in accordance with requirements of the Government Paperwork Elimination Act. Additional Internet services will be added to OpenNet Plus as the program evolves and as new requirements, technologies, and effective security techniques are developed.

REVIEW FINDINGS

STRUCTURED APPROACH TO OPENNET PLUS IMPLEMENTATION

The Department is taking a structured approach to implementing OpenNet Plus. This approach began with a pilot program, conducted from January through April 2001 with the participation of approximately 400 IRM employees. During the pilot program, a contractor performed a vulnerability assessment of the Department’s systems security while IRM users were connected to the Internet.
The study revealed some security and administrative weaknesses that are currently being addressed by DS and IRM.

Upon successful completion of the pilot, IRM established the OpenNet Plus Project Management Office (PMO) to develop, execute, manage, and monitor the program from the initial planning phase, begun in May 2001, through the installation phase, expected to be completed in May 2003. A major PMO responsibility is coordinating with Department bureaus and overseas missions on a regular basis to help them prepare for connection to the Internet. The Department authorized $6.2 million for OpenNet Plus rollout in May 2001 and, through its information technology investment decisionmaking process for FY 2002, expects to allocate $109 million to support deployment. The PMO provides monthly updates to the Under Secretary for Management and the Chief Information Officer (CIO), the program sponsor, on OpenNet Plus funding issues and progress toward meeting established milestones and objectives.

According to foreign affairs regulations,1 the Managing State Projects methodology must be used for managing the development of all IT projects that exceed one year and cost over $500,000. In compliance with these regulations, the PMO used the methodology to help develop a draft of the OpenNet Plus Project Plan in October 2001. The plan outlines the resources and timelines needed for OpenNet Plus deployment domestically and overseas. Based on the Managing State Projects concept, the program will include five major phases—study, acquisition, integration, deployment, and installation.

1 Foreign Affairs Manual, chapter 5, section 621

The PMO’s initial strategy for OpenNet Plus deployment included development of a Connection Approval Process workbook, which outlines the procedures that a bureau, embassy, or consulate must follow to obtain approval for Internet access through the program. The entire connection approval process consists of multiple steps to ensure that each Department organization meets information security requirements. These steps also aid in the development of a technical strategy for making the connection to OpenNet Plus. The initial steps that must be completed include:

• Designating and training Information Systems Security Officers to manage the organization’s IT security program;

• Complying with systems security configuration guidelines;

• Initiating development of IT contingency plans;

• Controlling and standardizing systems configuration and change management procedures;

• Verifying compliance with hardware and software baseline configurations to support a common operating environment; and

• Ensuring that end users complete the required security training.

After a bureau or overseas mission has completed these initial steps in the Connection Approval Process workbook, DS performs an independent verification and validation of the site’s systems and physical and technical environments. The independent verification and validation, conducted in accordance with foreign affairs guidance,2 provides assurance that basic security controls are in place prior to connection to OpenNet Plus.
DS can perform independent verification and validation either remotely, using technical tools and methodologies, or on-site at the individual Department organization. Because of time constraints, DS may in some instances use remote tools to initiate the independent verification and validation process. DS will coordinate with regional security officers on the physical and administrative aspects of the process for those posts that undergo remote independent verification and validation. DS will be unable to perform independent verification and validation on-site at all embassies and consulates, but hopes to visit at least 60 percent of all overseas locations to do the tests.

2 Foreign Affairs Manual, chapter 12, section 600

As a result of independent verification and validation, DS can determine whether a bureau, embassy, or consulate is in compliance with all connection approval process requirements. If fully compliant, DS recommends that the CIO—the Designated Approving Authority—grant “interim authority to operate,” or temporary approval for connection to OpenNet Plus. If not compliant with the connection approval process requirements, the bureau or overseas mission must first meet all requirements before the interim authority to operate is granted. In addition to meeting all connection approval process requirements, Internet connection is contingent upon an organization’s having adequate bandwidth—the telecommunications capacity required to support data transfer.
The Diplomatic Telecommunications Service Program Office is the Department’s preferred bandwidth supplier for overseas sites. If the Diplomatic Telecommunications Service Program Office cannot supply the technically required bandwidth within the established time frame, the OpenNet Plus Program Office will obtain bandwidth via satellite or local Internet service providers. In June 2001, IRM developed a capacity plan outlining the Department’s bandwidth requirements worldwide.

The final step in the connection approval process is a series of internal processes that IRM must complete before activating OpenNet Plus at a given location. These processes include reviewing independent verification and validation reports, validating bandwidth availability, and issuing compliance agreements for management signature. As of the end of November 2001, the Bureau of Economic and Business Affairs; part of IRM; the Warrenton Training Center;3 and Embassy Nicosia had been connected to OpenNet Plus. In addition, parts of Embassy New Delhi, Embassy Mexico City, and domestic organizations included in the Department’s Foreign Affairs Systems Integration pilot program have also received access to OpenNet Plus, which is needed to support web-based data sharing and exchange among foreign affairs agencies.

After connection to OpenNet Plus, a bureau or overseas mission must prepare for certification and accreditation—a structured process for ensuring IT security risk management in compliance with Department and federal directives. Specifically, “certification” is the independent, comprehensive evaluation of the technical and non-technical security features of an information system.
“Accreditation” is the subsequent formal acceptance of the risks identified through certification and approval to operate the system, ensuring that the accredited security posture will be maintained throughout the system life cycle. The minimum standards, activities, and management structure for certification and accreditation are prescribed in the National Information Assurance Certification and Accreditation Process developed by the National Security Telecommunications and Information Systems Security Committee. This document also outlines the roles and responsibilities of those involved in the process. Within the Department, DS serves as the Certification Authority responsible for determining the level of residual security risk to an IT system and making an accreditation recommendation to the CIO, who is the Designated Approving Authority. All bureaus and overseas missions must complete the certification and accreditation process to maintain their connection to OpenNet Plus.

3 This training center, located in Warrenton, Virginia, is part of the Foreign Service Institute’s School of Applied Information Technology.

In accordance with requirements of the National Information Assurance Certification and Accreditation Process, each Department organization undergoing OpenNet Plus certification and accreditation must also develop a systems security authorization agreement.
The agreement, initiated at the beginning of an IT project, is used to guide certification and accreditation activities and to document agreement among the certifier, approving authority, user representative, and program manager in support of the risk management process. The agreement is a compilation of various documents, including a description of the IT operating environment, a systems security architecture, test plans and procedures, and certification results, that together form the baseline security configuration document. In the case of OpenNet Plus, each organization must complete specific portions of the systems security authorization agreement no later than nine months from the date that the interim authority to operate is granted.

ADDITIONAL POLICIES NEEDED TO SUPPORT OPENNET PLUS IMPLEMENTATION

The Department has not yet instituted all of the policy guidance needed to govern OpenNet Plus implementation. The OpenNet Plus PMO has taken a step in this direction by identifying nine areas in which policies are needed to define and effectively manage the OpenNet Plus global infrastructure. These areas include asset management, systems architecture and configuration standards, network monitoring, and security.

Currently, some guidance exists in a few of the areas identified. Specifically, the Department’s foreign affairs manuals include fairly comprehensive guidance regarding software development, project management, and configuration management. However, the guidance is limited with regard to roles and responsibilities and internal controls for managing agency-wide IT programs such as OpenNet Plus. The PMO has begun to map the existing guidance to a “Leading Policy Practice Framework,” which provides a strategy for enhancing the guidance or developing new policies to support the OpenNet Plus program. For areas where no guidance currently exists, the framework identifies target policies and establishes priorities for their immediate or long-term development. According to the draft OpenNet Plus project plan, the PMO will develop the required policies over the next 18 months.

OIG believes that continued progress in policy development is critical, especially in two key areas. The first area involves having Department organizations eliminate existing Internet connections after OpenNet Plus has been deployed. Currently, the acquisition of Internet access is decentralized, allowing organizations to select from a variety of methods to obtain such services. Domestically, bureaus have web access through IRM’s Rich Internet Access, Internet local area networks, stand-alone dial-up connections, and the Public Diplomacy Network. With the exception of IRM’s Rich Internet Access, overseas embassies and consulates also use these same means to access the Internet. In many cases, Internet access requires that an employee have an additional workstation on the desktop or use shared terminals.
OpenNet Plus deployment, as previously discussed, is intended to standardize how the Department acquires Internet service and to eliminate the need for separate networks and workstations.

In the absence of a central policy, several bureaus and overseas missions have indicated that they expect to keep their separate Internet connections after OpenNet Plus is implemented, resulting in redundant capabilities. Their reasons for keeping the existing connections include having back-up Internet service in case OpenNet Plus becomes unavailable or retaining additional capabilities (such as remote log-in and audio and video streaming) that currently are not offered through the OpenNet Plus program.

Based on our preliminary analysis of selected Department data on Internet service costs, overseas missions are spending almost one million dollars per year to maintain their separate Internet connections. To eliminate the duplicative Internet service costs, the Department needs to institute a policy requiring that bureaus, offices, embassies, and consulates discontinue or shut down their independent Internet connections after OpenNet Plus is implemented, unless a business case is provided to justify continued use. The Director of the OpenNet Plus PMO recently stated that a policy is being drafted and will be presented to the Department’s IT Change Control Board for review. This board, created in October 2001 and chaired by IRM, manages changes to the Department’s global IT environment.

Recommendation 1: We recommend that the Bureau of Information Resource Management develop and implement a policy that directs bureaus, offices, embassies, and consulates to terminate existing Internet services once OpenNet Plus is deployed. The policy should include how long legacy Internet connections may remain in service during the transition to OpenNet Plus. The policy should also outline how a bureau, office, embassy, or consulate can petition to keep its existing Internet connections by making a detailed business case.

A second area of OIG concern is the sensitive issue of monitoring employee use of the Internet within the Department. As with any other organization providing Internet service at the desktop, such access can result in employee misuse and/or abuse. Employees can spend large amounts of government time using the Internet for personal reasons and/or accessing inappropriate sites. Various publications have identified a number of instances where employees in some industries and government agencies accessed the Internet at work for pleasure or to conduct personal business. This can lead to workplace inefficiencies, wasted taxpayer dollars, hostile work environments, and lawsuits. Even with the limited Internet access currently available, the Department has already experienced some abuse by its employees. For example, a Foreign Service officer assigned overseas was suspended for ten days for using a government computer to access a pornographic web site.

The Department has taken some steps that begin to address this issue.
Specifically, in March 2000, the Under Secretary for Management instituted a policy that allows employees limited use of government equipment for personal reasons.4 Included in this policy is use of the Internet, as long as it does not result in increased cost to the Department. Employees are allowed to use the Internet in moderation on personal time for matters that are not directly related to official business. The policy also states, however, that employees can have no expectation of privacy while using any government-provided Internet service. Employees are also to conduct themselves professionally in the workplace and to refrain from using Department resources for activities that may be offensive to coworkers or the public. These policies are outlined in several foreign affairs regulations, some of which are awaiting final clearance.5

4 Department Notice 2000-03-35, “Personal Use of Government Equipment,” March 17, 2000.
5 Foreign Affairs Manual, chapter 5, section 700 (awaiting clearance); chapter 12, section 600; and chapter 5, section 516.3-3.

Further, the Department is working to prevent employee access to inappropriate Internet web sites. Specifically, the Department has installed an off-the-shelf software program that blocks access to certain sites. The software functions as a web content filter, blocking user access to prohibited sites that contain nudity, sexually explicit material, profanity, gambling, or racist and sexist propaganda. In addition, the software gives the Department’s Network Control Center the capability to block sites not contained in the software database.
The database is updated daily to reflect any new sites or changes to existing ones. Because of an incompatibility between the content blocking software and a Department firewall, the software was off-line from October to late November 2001. During this period, the Department relied on manual means to regulate access to the Internet. IRM ultimately modified the firewall configuration to restore the software to service.

Instituting employee equipment use policies and the content blocking software are steps in the right direction. However, more is needed. Specifically, the Department has no guidelines in place to address how or whether it will monitor employee compliance with existing use policies as they relate to the Internet. Before instituting such Internet monitoring, the Department will first have to determine the extent to which it is necessary and who will be responsible for conducting it. Further, the Department will also need a strategy to enforce compliance or address violations. Implementing the policies as OpenNet Plus is deployed should help eliminate problems before they arise.
Such policies would also provide a general understanding of how IRM or supervisors will monitor Internet use and what repercussions employees will face if they abuse their Internet privileges.

Recommendation 2: We recommend that the Bureau of Information Resource Management, in collaboration with the Bureaus of Diplomatic Security and Human Resources, develop and implement specific policies that address how the Department will monitor Internet use by employees and the extent to which such monitoring will be done.

INFORMATION SECURITY ISSUES

Although OpenNet Plus will provide employees with ready access to a range of web information and resources, it will also pose potential IT security risks for the Department’s data processing operations. As discussed above, desktop access to the Internet will be provided via the Department’s OpenNet infrastructure, a sensitive but unclassified network that connects embassies, consulates, and domestic facilities to support global communications and services. This network contains proprietary and critical mission and business data—financial, personnel, foreign affairs, and visa information—that must be protected against loss, destruction, or compromise. Due to the sensitive nature of these issues, the details of our information security findings and recommendations will be included in a separate product.

DEPARTMENT COMMENTS AND OUR EVALUATION

We obtained written comments on a draft of this report from the Bureaus of Information Resource Management, Human Resources, and Diplomatic Security.
We have included copies of the comments in their entirety at Appendix B.

In its response, IRM concurred with Recommendation 1 regarding terminating existing Internet connections once OpenNet Plus is deployed. IRM stated that the bureau has already drafted a policy in this regard, very similar to the suggestion outlined in our report. The next step will be to have the policy approved by the IT Change Control Board, chaired by IRM and composed of executive representatives of organizations across the Department with responsibility for managing changes to the Department’s global IT environment.

IRM agreed that Recommendation 2 concerning monitoring Internet usage addresses significant issues for the Department. However, IRM did not believe that it is in a lead position to develop and implement policies on such issues. IRM stated that it has taken responsibility on the prevention side by using technology to prevent employee access to Internet sites for illegitimate purposes. IRM also stated that the Department has existing policies to govern abuse of equipment such as telephones and that potential Internet abuse does not require a separate policy. Similarly, Human Resources also believed that Recommendation 2, directed to that bureau, is inappropriate. The bureau stated that the Department’s Discipline Program, included in existing foreign affairs guidance, already outlines roles and responsibilities, enforcement procedures, and penalties for employees who abuse and/or misuse the Internet.

OIG agrees in part with the comments provided by IRM and Human Resources with regard to Recommendation 2 and has revised the recommendation, eliminating the requirement for additional personnel policies on Internet use. However, OIG believes that the Department still needs to assign responsibilities and develop guidelines for monitoring employee compliance with existing policies as they relate to Internet use.
OIG also believes that the Discipline Program that Human Resources cited does not address how the Internet monitoring will be done. In addition, if the Department determines that line managers need to monitor employee use of the Internet, we agree with IRM’s suggestion that training be provided in this regard.

    In its comments, DS did not respond to Recommendation 2, which we directed to the bureau for action. DS only provided clarification on information security processes and requirements, which we have incorporated in the text above.

APPENDIX A

PURPOSE, SCOPE AND METHODOLOGY

To fulfill our review objectives, we obtained background information on the existing OpenNet infrastructure, resources, and capabilities. We also studied networks currently in place to support Internet access—Public Diplomacy Network and Rich Internet Access Network—their capabilities, operations, and effective practices.
We examined a range of IT and security guidance, including federal laws and policies and Departmental regulations applicable to the implementation and deployment of IT systems for web access.

    We met with officials from IRM to discuss the Department’s approach to identifying the risks, timelines, and resources needed for OpenNet Plus implementation. We attended OpenNet Plus weekly briefings to monitor the status of the program. We interviewed officials from the Office of International Information Programs to talk about their current network available to provide web access to Public Diplomacy users worldwide. We also met with officials from DS to discuss the Department’s plans for assessing IT security and possible solutions for managing the risks to installing OpenNet Plus at the desktop.

    In conducting this review, we focused on assessing the results of the 90-day OpenNet Plus Pilot, which started in January 2001, and evaluating the Department’s plans for initial deployment of OpenNet Plus. We did not visit embassies or consulates to assess local capabilities, security risks, or current web access network configurations.

    We conducted our review from May to November 2001 at the Department in Washington, DC. We performed our work in accordance with generally accepted government auditing standards. Major contributors to this report were Frank Deffer, Sondra McCauley, John Shiffer, and Maria Cunningham. Comments or questions about the report can be directed to Mr. Deffer, IT Evaluations and Operations, at defferf@state.gov or (703) 284-2715.